"The department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information of DoD personnel maintained by a single commercial vendor that provided travel management services to the department," he says. "This vendor was performing a small percentage of the overall travel management services of DoD."

The breach, which appears to have affected 30,000 military and civilian personnel, resulted in some of their personal information and payment card data being compromised, the Associated Press first reported.

The Pentagon says its leadership was informed about the breach on Oct. 4 by one of the department's cybersecurity teams. AP reports that the breach may have begun months prior.

Buccino says that the Pentagon will not name the vendor that suffered the breach, due to security concerns and ongoing contracts. But he tells AP that the Defense Department "has taken steps to have the vendor cease performance under its contracts."

"The Department is continuing to assess the risk of harm," Buccino tells ISMG. "While additional information about this incident is being gathered, the department is assessing further remedial measures."

The review was driven by the U.S. military having "plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems," GAO says in its report summary.

For too long, however, GAO says, cybersecurity has been an afterthought for U.S. weapon system developers, and the information security deficiencies that were identified in programs have too often been ignored or downplayed as not arising from realistic attack scenarios.

"Although GAO and others have warned of cyber risks for decades, until recently, DoD did not prioritize weapon systems cybersecurity," GAO says, while noting that the military has belatedly been getting its act together. "Finally, DoD is still determining how best to address weapon systems cybersecurity."

Embedded software and IT systems are pervasive in weapon systems, as represented by this fictitious weapon system. (Source: GAO)

Even so, GAO says that penetration testing reports that it reviewed found that weapons could be subverted. "Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications," GAO says. "In addition, vulnerabilities that DoD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats."

One example: A report showed that testers were able to guess the administrator password for a weapon system in just 9 seconds, although GAO notes that this speed isn't a useful metric, because it doesn't distinguish between manual guessing and the use of highly automated attack tools.

Password Security Deficit

The bigger-picture problem, however, is a poor approach to password security, it says.

"Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software," GAO says. "Multiple test teams reported using free, publicly available information or software downloaded from the internet to avoid or defeat weapon system security controls."

But one report caveat voiced by Jake Williams, a former member of the U.S. National Security Agency's hacking unit who now runs security consultancy Rendition Infosec in Augusta, Georgia, is that it's not clear how easy it might be for cyberattackers to access various weapon systems.

"The GAO report authors have failed to distinguish between 'remotely exploitable' and 'exploitable from the internet,'" Williams says in a recent SANS Institute email newsletter. "These are two very different things."

It's not clear whether this omission was intentional or if "the data to clarify what was meant by 'remote access' simply wasn't available" in the reports reviewed by GAO, Williams says. "While many weapon systems are remotely exploitable, this can only be done from a privileged position in the network - one which usually requires physical access."

Attack Detection: OPM Case Study

Another problem for Defense Department weapon systems noted in the GAO report was detecting when an attack was occurring or may have occurred.

"A common way to detect cyber activity is to review logs of system activity looking for unusual occurrences," GAO says. "Multiple test reports indicated that test team activity was documented in system logs, but operators did not review them. One test report noted that the system had no documented procedures for reviewing logs."
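To make the GAO point concrete, here is an added example (not from the GAO report, the Pentagon or the author) of the kind of automated log review that would have surfaced the testers' activity. The log format, the host and user names, the source addresses, the thresholds and the maintenance window are all constructed assumptions; the script flags bursts of failed logins, a successful login that follows such a burst, and logins outside the assumed working hours.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication records (hypothetical format; not from
# the GAO report or any real weapon system).
SAMPLE_LOG = """\
2018-10-01T02:14:03Z host=ctrl-node user=admin src=10.20.30.40 result=FAIL
2018-10-01T02:14:05Z host=ctrl-node user=admin src=10.20.30.40 result=FAIL
2018-10-01T02:14:07Z host=ctrl-node user=admin src=10.20.30.40 result=FAIL
2018-10-01T02:14:09Z host=ctrl-node user=admin src=10.20.30.40 result=FAIL
2018-10-01T02:14:11Z host=ctrl-node user=admin src=10.20.30.40 result=FAIL
2018-10-01T02:14:12Z host=ctrl-node user=admin src=10.20.30.40 result=OK
2018-10-01T09:30:00Z host=ctrl-node user=operator src=10.20.30.5 result=OK
2018-10-01T09:31:10Z host=ctrl-node user=operator src=10.20.30.5 result=FAIL
2018-10-01T09:31:20Z host=ctrl-node user=operator src=10.20.30.5 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5              # failures that count as a burst (assumed)
WINDOW = timedelta(seconds=60)  # sliding window for bursts and follow-on success
WORK_HOURS = range(8, 18)       # hypothetical maintenance window, 08:00-17:59 UTC


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def analyze(text):
    """Review the log for the 'unusual occurrences' an operator should be looking for."""
    findings = {"failure_burst": [], "success_after_burst": [], "off_hours_login": []}
    recent_fails = defaultdict(list)  # (src, user) -> timestamps of recent failures
    last_burst = {}                   # (src, user) -> time a burst was flagged

    for ev in parse_log(text):
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAIL":
            times = recent_fails[key]
            times.append(ev["ts"])
            # keep only failures that fall inside the sliding window
            while ev["ts"] - times[0] > WINDOW:
                times.pop(0)
            if len(times) >= FAIL_THRESHOLD:
                findings["failure_burst"].append(ev)
                last_burst[key] = ev["ts"]
                times.clear()
        else:
            # a success shortly after a burst is the pattern of a guessed password
            burst_at = last_burst.get(key)
            if burst_at is not None and ev["ts"] - burst_at <= WINDOW:
                findings["success_after_burst"].append(ev)
            if ev["ts"].hour not in WORK_HOURS:
                findings["off_hours_login"].append(ev)
    return findings


if __name__ == "__main__":
    for kind, events in analyze(SAMPLE_LOG).items():
        for ev in events:
            print(f"{kind}: {ev['ts'].isoformat()} user={ev['user']} src={ev['src']}")
```

Run against the sample, the script reports one failure burst for `admin` from `10.20.30.40`, one success immediately after that burst, and one off-hours login; the single `operator` failure stays below the threshold. The thresholds are deliberately simple so the review procedure itself, which the GAO report found to be missing, is the point, not the tuning.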

As an example of what can happen when administrators are not actively looking for attacks, GAO referenced the biggest known U.S. government data breach to date: the cyberattack against the Office of Personnel Management that started in December 2014 that wasn't detected until April 2015. "Attackers exfiltrated personnel files of 4.2 million government employees, security clearance background information on 21 million individuals and fingerprint data of 5.6 million of these individuals," GAO says (see Stolen OPM Fingerprints: What's the Risk?).

"Attackers used a contractor's OPM credentials to log into the OPM system, installed malware, and created a backdoor to the network. These attackers were in OPM's networks for at least 14 months. Over 2,000 pieces of malware were later identified on OPM devices."

Last year, the FBI arrested Yu Pingan, a Chinese national, on charges that he was a "malware broker" who distributed a remote-access Trojan called Sakula that has been tied to multiple mega-breaches, including attacks against OPM as well as health insurer Anthem, which exposed personal information for 80 million individuals in the United States.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as Executive Editor for DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

